I am an e-Money researcher and crypto economist focused on expanding the circulation of nonpolitical digital currencies. My career has included senior influential posts at Sumitomo Bank, VISA, VeriSign, and Hushmail. Currently, I serve on the Board of Directors for the Bitcoin Foundation.

Key Disclosure Laws Can Be Used To Confiscate Bitcoin Assets

Jail time for refusing to comply with mandatory key disclosure hasn’t occurred in the United States yet. But, it’s already happening in jurisdictions such as the UK, where a 33-year-old man was incarcerated for refusing to turn over his decryption keys and a youth was jailed for not disclosing a 50-character encryption password to authorities.

Similarly harsh key disclosure laws also exist in Australia and South Africa, compelling individuals to surrender cryptographic keys to law enforcement without regard for the usual common law protection against self-incrimination.

Key disclosure laws may become the most important government tool in asset seizures and the war on money laundering. Key disclosure refers to the government's ability, when you are charged with a criminal offense, to demand that you surrender the private encryption keys that decrypt your data. If your data is currency, such as access control to various amounts of bitcoin on the block chain, then you have surrendered your financial transaction history and potentially the value itself.

These laws will impact not only money laundering prosecution but almost any asset protection strategy that attempts to maintain an element of financial privacy such as private banking or family trusts. Prior to all these money laundering laws being enacted, I once heard it said that the practice of moving money around was simply referred to as banking.

Doug Casey famously said that “it’s a completely artificial crime. It wasn’t even heard of 20 years ago, because the ‘crime’ didn’t exist.” Furthermore he said, “The War on Drugs may be where ‘money laundering’ originated as a crime, but today it has a lot more to do with something infinitely more important to the state: the War on Tax Evasion.” And, if they can’t track it from the outside via the banks and financial institutions, they’ll track it from the inside via access to an individual’s passwords and private keys.

In the United States, relevant case law has revolved around the Fifth Amendment privilege against self-incrimination as there is currently no specific law regarding key disclosure. The definition of a password is alarmingly broad too — all the way from an extension of your personal memory to an illegitimate tool that only hides something tangible from law enforcement.

The first case to address directly the question of whether a person can be compelled to reveal his or her encryption keys or password was In re Grand Jury Subpoena to Sebastien Boucher in 2009. Here a magistrate judge ruled that producing the passphrase for the encrypted hard drive would constitute self-incrimination, but on appeal the District Court overturned that decision, holding that decrypting and producing the complete contents would not constitute self-incrimination since Boucher initially cooperated in showing some of the computer files to border agents.

Next, there was the federal criminal case of United States v. Fricosu in 2010, in which the Federal District Court ordered a criminal defendant to decrypt the contents of an encrypted laptop. Although the defendant claimed Fifth Amendment rights against self-incrimination and the Electronic Frontier Foundation (EFF) filed an amicus curiae brief, the Court sided with the government, ruling that since the defendant admitted to ownership of the laptop and knowledge of the passwords in a recorded conversation, the existence of evidence was a “foregone conclusion” and therefore Fifth Amendment privilege could not be implicated. In early 2012, the Tenth Circuit Court of Appeals rejected an appeal and let that decision stand.

In a blog post, Orin Kerr cited In re Weiss (703 F. 2d 653) in summarizing testimonial obduracy and what a future Court’s likely posture would be if a defendant refuses to comply with a key disclosure order or claims to have forgotten the password. On the specific Fifth Amendment issue in United States v. Fricosu, Kerr states:

If I’m reading Fricosu correctly, the Court is not saying that there is no Fifth Amendment privilege against being forced to divulge a password. Rather, the Court is saying that the Fifth Amendment privilege can’t be asserted in a specific case where it is known based on the facts of the case that the computer belongs to the suspect and the suspect knows the password. Because the only incriminating message of being forced to decrypt the password — that the suspect has control over the computer — is already known, it is a “foregone conclusion” and the Fifth Amendment privilege cannot block the government’s application.

In another case upholding the constitutional right against forced decryption, the Eleventh Circuit Court of Appeals in United States v. Doe on February 24th, 2012 overturned a contempt of court ruling for refusing to decrypt. The court argued that without any specific knowledge of a hard drive’s file contents or file existence, the government cannot assert that certain items can be described with “reasonable particularity,” and that compelling a defendant to produce those files would therefore violate the Fifth Amendment’s protection against self-incrimination. The Electronic Frontier Foundation (EFF), which again filed an amicus curiae brief in the case, called it a major victory for constitutional rights in the digital age.

To say the cryptocurrency bitcoin is disruptive would be an understatement. Bitcoin not only disrupts payments and monetary sovereignty, it also disrupts the legal enforcement of anti-money laundering laws, asset seizure, and capital controls. It is very likely that a key disclosure case will make it to the U.S. Supreme Court where it is far from certain that the Fifth Amendment privilege, as it relates to a refusal to decrypt bitcoin assets, will be universally upheld.

Many observers have suggested defensive techniques that deploy TrueCrypt disk encryption with hidden volume partitions, or PGP Whole Disk Encryption, which renders the entire computer unbootable and thereby makes even file time and date stamps unavailable. Another legal strategy to complicate matters could be to split the passphrase with another person and claim that you are never in possession of the entire real passphrase. Then, at least there would be “plausible deniability” as to who provided the invalid portion of the passphrase, or you would have a cellmate if held in contempt.


I can see how key disclosure could be a problem if someone was storing an encrypted Bitcoin wallet on their hard drive. However, things get more interesting if we are talking about a brain wallet. A brain wallet, of course, is completely separate from any particular Bitcoin wallet file. It can be used to generate private keys that correspond to public keys in the Bitcoin block chain files, but that is about it. Could law enforcement or the courts really compel someone to turn over a brain wallet? Seems absurd.

There’s a difference between a common-law right against self-incrimination, and a supposed right to money that a court has ordered someone to pay. I’d guess the court could rule that a defendant could be ordered to divulge the key in the latter case but not the former.

I first heard the term “money laundering” in a _Rockford Files_ episode that was made in the 1970s, so it’s understated to say it wasn’t heard of 20 years ago. Once I inadvertently left three 20-dollar bills in the pocket of a pair of jeans that I ran through the washer and dryer. Unquestionably a case of money laundering.

The principle would be to ascertain money flows represented by the data (using money as a method of identity tracking to prove guilt). Government could always seize the assets and sort it out later in court, which is what they tend to do now.

In the case of bitcoin, the private keys that open up traffic analysis from the inside also enable control of those assets. If it is a case of court-ordered garnishment or monetary judgment due, I disagree with you that a defendant could be ordered to divulge the key because the existence of bitcoin assets would not necessarily be a “foregone conclusion.”

To avoid the applicability of US vs. Fricosu (if you’re in the US), avoid mentioning the existence of the account over any non-secure medium, ever.

Also, if you want to claim that you’ve split the key with someone else, claim it’s with someone in a different jurisdiction — this will complicate matters healthily for the authorities.

If you actually split the key, use a cryptographically or information-theoretically secure “secret splitting” technique, so that divulging your portion of the key won’t help the authorities with decryption at all. See “Secret sharing” on Wikipedia or elsewhere for more info.

If you live in a place where key disclosure laws do not apply, and are planning a trip to a jurisdiction where they do, you can arrange this in advance with a friend.

From AbelsFire on BitcoinForum: This is a message I would post to your article, if blogs.forbes.com would stop blackholing my comments:

“The lesson we should take from this is that you can’t rely on correct legal rulings from the courts.

Technology must be used to protect yourself that is sufficient to withstand even incorrect court decisions, or even outright corruption.

Even if some people object to including the government in their threat model, one must consider that anything government can force you to do, organized crime could also force you to do. Protecting yourself against either one protects you from both.”